Are you still using Windows logon scripts? They’re no longer the Windows administrator’s necessary evil for desktop configuration control. These days, Group Policy Preferences can accomplish virtually anything a logon script can do.
Many IT shops still use logon scripts solely because of their ability to map drives to shares. Until GPPs came around, logon scripts were the easiest way to associate those drives with specific users and groups. Logon scripts execute as the user logs on, so adding a net use command to that script maps H: drives to home folders and S: drives to shared ones. Add in a little conditional script logic, and you can map drives based on each user’s identity.
Drive Maps are a GPP found under a Group Policy Object’s User Configuration half. Creating yours there enables the same mapping of drives to users, but without all the nasty scripting.
Not every user needs environment variables set, nor does every application. Therefore, many logon scripts required some fairly complex logic to confirm variables were set based on user, machine, and even application.
GPPs greatly simplify this process. Found in a GPO’s Computer Configuration half, environment variables can be configured on a per-machine basis. Even better, by tagging each GPP with the File Match item-level targeting, you can ensure an environment variable is only applied to computers containing the application that needs it.
Ever have to work with an application whose settings are stored not in the registry, but in one or more files? There are still plenty of applications around that use files for storing their entire-machine and specific-user information. Files are great because they’re easy to work with, but they can be hard when multiple users need configurations on multiple machines.
The “preferences” in Group Policy Preferences highlights the fact that GPPs don't have to be enforced. It is entirely possible (and encouraged!) to use GPPs for defining a user’s or an application’s initial configuration. Once that initial configuration is set, users can then make whatever changes suit their needs.
Files are a GPP found in either half of a GPO. This GPP enables you to copy files from a source to a destination location. It’s absolutely useful for copying files for those applications that need them. Just create your initial configuration, add that file to a GPP, and see it automatically distribute out to any relevant computer. Check the box for Apply once and do not reapply under the GPP’s Common tab if you want to give users the preference and not the policy.
While there remain some apps that store configurations in files, the vast majority of them today use the Windows registry. Back before GPPs, making registry changes was notoriously difficult, especially if they were to the HKEY_CURRENT_USER hive.
GPPs once again come to the rescue for locking down (or suggesting) application configurations, across both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. In a GPO you’ll find Registry GPP support in both the Computer and User Configuration halves. You can guess which hive each half corresponds to.
Often, however, the hardest part of controlling registry values is merely finding them. A software packager tool can help. Many software packagers do their work by analyzing two snapshots of a system, one taken before the application is installed and another after the installation completes. By looking for what’s different between these two snapshots, the packager can identify what files and registry keys were changed by an installation.
You can use that same process to figure out which registry value an application setting corresponds to. The trick: Do the initial snapshot with the application already installed. Change the application setting, and then do the second snapshot. Whatever changed is what you’ll enter into the Registry GPP.
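The same two-snapshot comparison can be done without a packager. The PowerShell below is an added example, not part of the original article; the key path `HKCU:\Software\ExampleVendor\ExampleApp` is a hypothetical placeholder for the application's own key.

```powershell
# Added example: snapshot a registry subtree before and after changing one
# application setting, then list every value that differs.

function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path)

    $snapshot = @{}
    # Include the root key itself plus every subkey beneath it.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Record "kind:data" so a change of value type also shows up.
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $snapshot["$($key.Name)`n$name"] = [pscustomobject]@{
                Key       = $key.Name
                ValueName = $name          # empty string means the (Default) value
                Data      = "${kind}:" + (@($data) -join ',')
            }
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)

    foreach ($id in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $old = $Before[$id]
        $new = $After[$id]
        # A value missing from one side has $null data, so it is reported too.
        if ($old.Data -ne $new.Data) {
            $entry = if ($new) { $new } else { $old }
            [pscustomobject]@{
                Key       = $entry.Key
                ValueName = $entry.ValueName
                Before    = $old.Data
                After     = $new.Data
            }
        }
    }
}

$appKey = 'HKCU:\Software\ExampleVendor\ExampleApp'   # hypothetical path
$before = Get-RegistrySnapshot -Path $appKey
Read-Host 'Change the setting in the application, then press Enter'
$after  = Get-RegistrySnapshot -Path $appKey
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Each row gives the hive and key path, value name, and new type and data to enter into the Registry GPP item.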
You think you’re smart because you’ve published your printers into your Active Directory, but even the most well-documented (and well-named) printer structure can still confuse users. Why not map whatever printer is closest to them, automatically?
You can with Printers in a GPP, linked with either the Computer or User half of a GPO. You’ll also need the aid of some setting on each computer that identifies where that computer lives. A common one is its subnet.
If your network engineers have laid out subnets by location, you can use that network in a GPP’s Item-Level Targeting. Just add it as an IP Address Range, and the next time users log in they’ll automatically attach to their closest printer.
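Before linking the GPO, it helps to confirm that every subnet resolves to exactly one printer. The PowerShell below is an added example, not part of the original article; the ranges and printer paths are constructed sample values, and the range ends are assumed to be inclusive.

```powershell
# Added example: evaluate a table of IP Address Range rules against a client
# address to see which printer items would match it.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)

    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    # Combine the four octets (most significant first) into one integer.
    return ([long]$bytes[0] * 16777216) + ([long]$bytes[1] * 65536) +
           ([long]$bytes[2] * 256) + [long]$bytes[3]
}

function Get-TargetedPrinter {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][object[]]$Rules
    )

    $ip = ConvertTo-IPv4Number -Address $Address
    # Return every rule whose range contains the address. Each item is
    # evaluated on its own, so overlapping ranges yield several printers.
    $Rules | Where-Object {
        $ip -ge (ConvertTo-IPv4Number -Address $_.From) -and
        $ip -le (ConvertTo-IPv4Number -Address $_.To)
    }
}

# Constructed sample rules: one printer per floor subnet.
$rules = @(
    [pscustomobject]@{ From = '10.1.10.1'; To = '10.1.10.254'; Printer = '\\print01\Floor1' }
    [pscustomobject]@{ From = '10.1.20.1'; To = '10.1.20.254'; Printer = '\\print01\Floor2' }
    [pscustomobject]@{ From = '10.1.20.200'; To = '10.1.30.254'; Printer = '\\print01\Floor3' }
)

# Constructed sample clients: one clean match, one overlap, one with no rule.
foreach ($client in '10.1.10.57', '10.1.20.210', '10.1.40.5') {
    $hits = @(Get-TargetedPrinter -Address $client -Rules $rules)
    $result = if ($hits.Count -eq 0) { 'no printer (gap in ranges)' }
              else { $hits.Printer -join ', ' }
    '{0,-12} -> {1}' -f $client, $result
}
```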
GPPs aren’t even new technology. They’ve been around since the release of Windows Server 2008. They’re stable, they’re easy to use, and they’re a technology you already have on-hand. No extra software (or budget) needed.
If you haven’t spent much time with this incredibly useful administrative solution, give it another look. Coupled with Item-Level Targeting, GPPs are a great way to finally eliminate those nasty logon scripts forever.
ABOUT THE AUTHOR
Greg Shields is a Partner and Principal Technologist with Concentrated Technology, an IT analysis and strategic consulting firm. Contact him at http://www.ConcentratedTech.com.